From: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Parav Pandit <parav-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH rdma-rc 2/7] IB/core: Fix qp_sec use after free access
Date: Sun, 24 Sep 2017 21:46:30 +0300 [thread overview]
Message-ID: <20170924184635.31948-3-leon@kernel.org> (raw)
In-Reply-To: <20170924184635.31948-1-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
From: Parav Pandit <parav-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
When security_ib_alloc_security fails, qp->qp_sec memory is freed.
However ib_destroy_qp still tries to access this memory which result
in kernel crash. So its initialized to NULL to avoid such access.
Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs")
Signed-off-by: Parav Pandit <parav-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Reviewed-by: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
---
drivers/infiniband/core/security.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
index 70ad19c4c73e..88bdafb297f5 100644
--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -432,8 +432,10 @@ int ib_create_qp_security(struct ib_qp *qp, struct ib_device *dev)
atomic_set(&qp->qp_sec->error_list_count, 0);
init_completion(&qp->qp_sec->error_complete);
ret = security_ib_alloc_security(&qp->qp_sec->security);
- if (ret)
+ if (ret) {
kfree(qp->qp_sec);
+ qp->qp_sec = NULL;
+ }
return ret;
}
--
2.14.1
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-09-24 18:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-24 18:46 [PATCH rdma-rc 0/7] RDMA core, IPoiB and mlx5 fixes Leon Romanovsky
[not found] ` <20170924184635.31948-1-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-09-24 18:46 ` [PATCH rdma-rc 1/7] IB/core: Fix typo in the name of the tag-matching cap struct Leon Romanovsky
[not found] ` <20170924184635.31948-2-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-09-24 20:18 ` Jiri Pirko
2017-09-25 3:45 ` Leon Romanovsky
[not found] ` <20170925034538.GK25094-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
2017-09-25 6:51 ` Jiri Pirko
2017-09-24 18:46 ` Leon Romanovsky [this message]
2017-09-24 18:46 ` [PATCH rdma-rc 3/7] IB: Correct MR length field to be 64-bit Leon Romanovsky
2017-09-24 18:46 ` [PATCH rdma-rc 4/7] IB/ipoib: Fix sysfs Pkey create<->remove possible deadlock Leon Romanovsky
2017-09-24 18:46 ` [PATCH rdma-rc 5/7] IB/ipoib: Fix inconsistency with free_netdev and free_rdma_netdev Leon Romanovsky
2017-09-24 18:46 ` [PATCH rdma-rc 6/7] IB/mlx5: Simplify mlx5_ib_cont_pages Leon Romanovsky
2017-09-24 18:46 ` [PATCH rdma-rc 7/7] IB/mlx5: Fix NULL deference on mlx5_ib_update_xlt failure Leon Romanovsky
2017-09-29 14:56 ` [PATCH rdma-rc 0/7] RDMA core, IPoiB and mlx5 fixes Doug Ledford
[not found] ` <1506697001.2919.12.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-09-29 15:01 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170924184635.31948-3-leon@kernel.org \
--to=leon-dgejt+ai2ygdnm+yrofe0a@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=parav-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.